/*
* Set the audit userid, for a process. This can only be changed by
* privileged processes. The audit userid is inherited across forks & execs.
* Passed in is a pointer to the au_id_t; if copyin unsuccessful return EFAULT.
*/
int
setauid(caddr_t auid_p)
{
proc_t *p;
au_id_t auid;
cred_t *newcred;
auditinfo_addr_t *auinfo;
if (secpolicy_audit_config(CRED()) != 0)
return (EPERM);
if (copyin(auid_p, &auid, sizeof (au_id_t))) {
return (EFAULT);
}
newcred = cralloc();
if ((auinfo = crgetauinfo_modifiable(newcred)) == NULL) {
crfree(newcred);
return (EINVAL);
}
/* grab p_crlock and switch to new cred */
p = curproc;
mutex_enter(&p->p_crlock);
crcopy_to(p->p_cred, newcred);
p->p_cred = newcred;
auinfo->ai_auid = auid; /* update the auid */
/* unlock and broadcast the cred changes */
mutex_exit(&p->p_crlock);
crset(p, newcred);
return (0);
}
/*
* Set the audit state information for the current process.
* Return EFAULT if copyout fails.
*/
int
setaudit(caddr_t info_p)
{
STRUCT_DECL(auditinfo, info);
proc_t *p;
cred_t *newcred;
model_t model;
auditinfo_addr_t *ainfo;
if (secpolicy_audit_config(CRED()) != 0)
return (EPERM);
model = get_udatamodel();
STRUCT_INIT(info, model);
if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
return (EFAULT);
newcred = cralloc();
if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
crfree(newcred);
return (EINVAL);
}
/* grab p_crlock and switch to new cred */
p = curproc;
mutex_enter(&p->p_crlock);
crcopy_to(p->p_cred, newcred);
p->p_cred = newcred;
/* Set audit mask, id, termid and session id as specified */
ainfo->ai_auid = STRUCT_FGET(info, ai_auid);
#ifdef _LP64
/* only convert to 64 bit if coming from a 32 bit binary */
if (model == DATAMODEL_ILP32)
ainfo->ai_termid.at_port =
DEVEXPL(STRUCT_FGET(info, ai_termid.port));
else
ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port);
#else
ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.port);
#endif
ainfo->ai_termid.at_type = AU_IPv4;
ainfo->ai_termid.at_addr[0] = STRUCT_FGET(info, ai_termid.machine);
ainfo->ai_asid = STRUCT_FGET(info, ai_asid);
ainfo->ai_mask = STRUCT_FGET(info, ai_mask);
/* unlock and broadcast the cred changes */
mutex_exit(&p->p_crlock);
crset(p, newcred);
return (0);
}
/*
* Register the klpd.
* If the pid_t passed in is positive, update the registration for
* the specific process; that is only possible if the process already
* has a registration on it. This change of registration will affect
* all processes which share common ancestry.
*
* MY_PID (pid 0) can be used to create or change the context for
* the current process, typically done after fork().
*
* A negative value can be used to register a klpd globally.
*
* The per-credential klpd needs to be cleaned up when entering
* a zone or unsetting the flag.
*/
int
klpd_reg(int did, idtype_t type, id_t id, priv_set_t *psetbuf)
{
cred_t *cr = CRED();
door_handle_t dh;
klpd_reg_t *kpd;
priv_set_t pset;
door_info_t di;
credklpd_t *ckp = NULL;
pid_t pid = -1;
projid_t proj = -1;
kproject_t *kpp = NULL;
if (CR_FLAGS(cr) & PRIV_XPOLICY)
return (set_errno(EINVAL));
if (copyin(psetbuf, &pset, sizeof (priv_set_t)))
return (set_errno(EFAULT));
if (!priv_issubset(&pset, &CR_OEPRIV(cr)))
return (set_errno(EPERM));
switch (type) {
case P_PID:
pid = (pid_t)id;
if (pid == P_MYPID)
pid = curproc->p_pid;
if (pid == curproc->p_pid)
ckp = crklpd_alloc();
break;
case P_PROJID:
proj = (projid_t)id;
kpp = project_hold_by_id(proj, crgetzone(cr),
PROJECT_HOLD_FIND);
if (kpp == NULL)
return (set_errno(ESRCH));
break;
default:
return (set_errno(ENOTSUP));
}
/*
* Verify the door passed in; it must be a door and we won't
* allow processes to be called on their own behalf.
*/
dh = door_ki_lookup(did);
if (dh == NULL || door_ki_info(dh, &di) != 0) {
if (ckp != NULL)
crklpd_rele(ckp);
if (kpp != NULL)
project_rele(kpp);
return (set_errno(EBADF));
}
if (type == P_PID && pid == di.di_target) {
if (ckp != NULL)
crklpd_rele(ckp);
ASSERT(kpp == NULL);
return (set_errno(EINVAL));
}
kpd = kmem_zalloc(sizeof (*kpd), KM_SLEEP);
crhold(kpd->klpd_cred = cr);
kpd->klpd_door = dh;
kpd->klpd_door_pid = di.di_target;
kpd->klpd_ref = 1;
kpd->klpd_pset = pset;
if (kpp != NULL) {
mutex_enter(&klpd_mutex);
kpd = klpd_link(kpd, &kpp->kpj_klpd, B_TRUE);
mutex_exit(&klpd_mutex);
if (kpd != NULL)
klpd_rele(kpd);
project_rele(kpp);
} else if ((int)pid < 0) {
/* Global daemon */
mutex_enter(&klpd_mutex);
(void) klpd_link(kpd, &klpd_list, B_FALSE);
mutex_exit(&klpd_mutex);
} else if (pid == curproc->p_pid) {
proc_t *p = curproc;
cred_t *newcr = cralloc();
/* No need to lock, sole reference to ckp */
kpd = klpd_link(kpd, &ckp->crkl_reg, B_TRUE);
if (kpd != NULL)
klpd_rele(kpd);
mutex_enter(&p->p_crlock);
cr = p->p_cred;
crdup_to(cr, newcr);
crsetcrklpd(newcr, ckp);
p->p_cred = newcr; /* Already held for p_cred */
crhold(newcr); /* Hold once for the current thread */
mutex_exit(&p->p_crlock);
crfree(cr); /* One for the p_cred */
crset(p, newcr);
} else {
proc_t *p;
cred_t *pcr;
mutex_enter(&pidlock);
p = prfind(pid);
if (p == NULL || !prochasprocperm(p, curproc, CRED())) {
mutex_exit(&pidlock);
klpd_rele(kpd);
return (set_errno(p == NULL ? ESRCH : EPERM));
}
mutex_enter(&p->p_crlock);
crhold(pcr = p->p_cred);
mutex_exit(&pidlock);
mutex_exit(&p->p_crlock);
/*
* We're going to update the credential's ckp in place;
* this requires that it exists.
*/
ckp = crgetcrklpd(pcr);
if (ckp == NULL) {
crfree(pcr);
klpd_rele(kpd);
return (set_errno(EINVAL));
}
crklpd_setreg(ckp, kpd);
crfree(pcr);
}
return (0);
}
/*
* Set the audit state information for the current process.
* Return EFAULT if copyin fails.
*/
int
setaudit_addr(caddr_t info_p, int len)
{
STRUCT_DECL(auditinfo_addr, info);
proc_t *p;
cred_t *newcred;
model_t model;
int i;
int type;
auditinfo_addr_t *ainfo;
if (secpolicy_audit_config(CRED()) != 0)
return (EPERM);
model = get_udatamodel();
STRUCT_INIT(info, model);
if (len < STRUCT_SIZE(info))
return (EOVERFLOW);
if (copyin(info_p, STRUCT_BUF(info), STRUCT_SIZE(info)))
return (EFAULT);
type = STRUCT_FGET(info, ai_termid.at_type);
if ((type != AU_IPv4) && (type != AU_IPv6))
return (EINVAL);
newcred = cralloc();
if ((ainfo = crgetauinfo_modifiable(newcred)) == NULL) {
crfree(newcred);
return (EINVAL);
}
/* grab p_crlock and switch to new cred */
p = curproc;
mutex_enter(&p->p_crlock);
crcopy_to(p->p_cred, newcred);
p->p_cred = newcred;
/* Set audit mask, id, termid and session id as specified */
ainfo->ai_auid = STRUCT_FGET(info, ai_auid);
ainfo->ai_mask = STRUCT_FGET(info, ai_mask);
#ifdef _LP64
/* only convert to 64 bit if coming from a 32 bit binary */
if (model == DATAMODEL_ILP32)
ainfo->ai_termid.at_port =
DEVEXPL(STRUCT_FGET(info, ai_termid.at_port));
else
ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
#else
ainfo->ai_termid.at_port = STRUCT_FGET(info, ai_termid.at_port);
#endif
ainfo->ai_termid.at_type = type;
bzero(&ainfo->ai_termid.at_addr[0], sizeof (ainfo->ai_termid.at_addr));
for (i = 0; i < (type/sizeof (int)); i++)
ainfo->ai_termid.at_addr[i] =
STRUCT_FGET(info, ai_termid.at_addr[i]);
if (ainfo->ai_termid.at_type == AU_IPv6 &&
IN6_IS_ADDR_V4MAPPED(((in6_addr_t *)ainfo->ai_termid.at_addr))) {
ainfo->ai_termid.at_type = AU_IPv4;
ainfo->ai_termid.at_addr[0] = ainfo->ai_termid.at_addr[3];
ainfo->ai_termid.at_addr[1] = 0;
ainfo->ai_termid.at_addr[2] = 0;
ainfo->ai_termid.at_addr[3] = 0;
}
ainfo->ai_asid = STRUCT_FGET(info, ai_asid);
/* unlock and broadcast the cred changes */
mutex_exit(&p->p_crlock);
crset(p, newcred);
return (0);
}
int
setgid(gid_t gid)
{
proc_t *p;
int error;
int do_nocd = 0;
cred_t *cr, *newcr;
ksid_t ksid, *ksp;
zone_t *zone = crgetzone(CRED());
if (!VALID_GID(gid, zone))
return (set_errno(EINVAL));
if (gid > MAXUID) {
if (ksid_lookupbygid(zone, gid, &ksid) != 0)
return (set_errno(EINVAL));
ksp = &ksid;
} else {
ksp = NULL;
}
/*
* Need to pre-allocate the new cred structure before grabbing
* the p_crlock mutex. We cannot hold the mutex across the
* secpolicy functions.
*/
newcr = cralloc_ksid();
p = ttoproc(curthread);
mutex_enter(&p->p_crlock);
retry:
cr = p->p_cred;
crhold(cr);
mutex_exit(&p->p_crlock);
if ((gid == cr->cr_rgid || gid == cr->cr_sgid) &&
secpolicy_allow_setid(cr, -1, B_TRUE) != 0) {
mutex_enter(&p->p_crlock);
crfree(cr);
if (cr != p->p_cred)
goto retry;
error = 0;
crcopy_to(cr, newcr);
p->p_cred = newcr;
newcr->cr_gid = gid;
crsetsid(newcr, ksp, KSID_GROUP);
mutex_exit(&p->p_crlock);
} else if ((error = secpolicy_allow_setid(cr, -1, B_FALSE)) == 0) {
mutex_enter(&p->p_crlock);
crfree(cr);
if (cr != p->p_cred)
goto retry;
/*
* A privileged process that makes itself look like a
* set-gid process must be marked to produce no core dump.
*/
if (cr->cr_gid != gid ||
cr->cr_rgid != gid ||
cr->cr_sgid != gid)
do_nocd = 1;
crcopy_to(cr, newcr);
p->p_cred = newcr;
newcr->cr_gid = gid;
newcr->cr_rgid = gid;
newcr->cr_sgid = gid;
crsetsid(newcr, ksp, KSID_GROUP);
mutex_exit(&p->p_crlock);
} else {
crfree(newcr);
crfree(cr);
if (ksp != NULL)
ksid_rele(ksp);
}
if (error == 0) {
if (do_nocd) {
mutex_enter(&p->p_lock);
p->p_flag |= SNOCD;
mutex_exit(&p->p_lock);
}
crset(p, newcr); /* broadcast to process threads */
return (0);
}
return (set_errno(error));
}
/*
* setppriv (priv_op_t, priv_ptype_t, priv_set_t)
*/
static int
setppriv(priv_op_t op, priv_ptype_t type, priv_set_t *in_pset)
{
priv_set_t pset, *target;
cred_t *cr, *pcr;
proc_t *p;
boolean_t donocd = B_FALSE;
if (!PRIV_VALIDSET(type) || !PRIV_VALIDOP(op))
return (set_errno(EINVAL));
if (copyin(in_pset, &pset, sizeof (priv_set_t)))
return (set_errno(EFAULT));
p = ttoproc(curthread);
cr = cralloc();
mutex_enter(&p->p_crlock);
retry:
pcr = p->p_cred;
if (AU_AUDITING())
audit_setppriv(op, type, &pset, pcr);
/*
* Filter out unallowed request (bad op and bad type)
*/
switch (op) {
case PRIV_ON:
case PRIV_SET:
/*
* Turning on privileges; the limit set cannot grow,
* other sets can but only as long as they remain subsets
* of P. Only immediately after exec holds that P <= L.
*/
if (type == PRIV_LIMIT &&
!priv_issubset(&pset, &CR_LPRIV(pcr))) {
mutex_exit(&p->p_crlock);
crfree(cr);
return (set_errno(EPERM));
}
if (!priv_issubset(&pset, &CR_OPPRIV(pcr)) &&
!priv_issubset(&pset, priv_getset(pcr, type))) {
mutex_exit(&p->p_crlock);
/* Policy override should not grow beyond L either */
if (type != PRIV_INHERITABLE ||
!priv_issubset(&pset, &CR_LPRIV(pcr)) ||
secpolicy_require_privs(CRED(), &pset) != 0) {
crfree(cr);
return (set_errno(EPERM));
}
mutex_enter(&p->p_crlock);
if (pcr != p->p_cred)
goto retry;
donocd = B_TRUE;
}
break;
case PRIV_OFF:
/* PRIV_OFF is always allowed */
break;
}
/*
* OK! everything is cool.
* Do cred COW.
*/
crcopy_to(pcr, cr);
/*
* If we change the effective, permitted or limit set, we attain
* "privilege awareness".
*/
if (type != PRIV_INHERITABLE)
priv_set_PA(cr);
target = &(CR_PRIVS(cr)->crprivs[type]);
switch (op) {
case PRIV_ON:
priv_union(&pset, target);
break;
case PRIV_OFF:
priv_inverse(&pset);
priv_intersect(target, &pset);
/*
* Fall-thru to set target and change other process
* privilege sets.
*/
/*FALLTHRU*/
case PRIV_SET:
*target = pset;
/*
* Take privileges no longer permitted out
* of other effective sets as well.
* Limit set is enforced at exec() time.
*/
if (type == PRIV_PERMITTED)
priv_intersect(&pset, &CR_EPRIV(cr));
break;
}
/*
* When we give up privileges not in the inheritable set,
* set SNOCD if not already set; first we compute the
* privileges removed from P using Diff = (~P') & P
* and then we check whether the removed privileges are
* a subset of I. If we retain uid 0, all privileges
* are required anyway so don't set SNOCD.
*/
if (type == PRIV_PERMITTED && (p->p_flag & SNOCD) == 0 &&
cr->cr_uid != 0 && cr->cr_ruid != 0 && cr->cr_suid != 0) {
priv_set_t diff = CR_OPPRIV(cr);
priv_inverse(&diff);
priv_intersect(&CR_OPPRIV(pcr), &diff);
donocd = !priv_issubset(&diff, &CR_IPRIV(cr));
}
p->p_cred = cr;
mutex_exit(&p->p_crlock);
if (donocd) {
mutex_enter(&p->p_lock);
p->p_flag |= SNOCD;
mutex_exit(&p->p_lock);
}
/*
* The basic_test privilege should not be removed from E;
* if that has happened, then some programmer typically set the E/P to
* empty. That is not portable.
*/
if ((type == PRIV_EFFECTIVE || type == PRIV_PERMITTED) &&
priv_basic_test >= 0 && !PRIV_ISASSERT(target, priv_basic_test)) {
proc_t *p = curproc;
pid_t pid = p->p_pid;
char *fn = PTOU(p)->u_comm;
cmn_err(CE_WARN, "%s[%d]: setppriv: basic_test privilege "
"removed from E/P", fn, pid);
}
crset(p, cr); /* broadcast to process threads */
return (0);
}
/*
* Buy-back from SunOS 4.x
*
* Like setgid() and setegid() combined -except- that non-root users
* can change cr_rgid to cr_gid, and the semantics of cr_sgid are
* subtly different.
*/
int
setregid(gid_t rgid, gid_t egid)
{
proc_t *p;
int error = EPERM;
int do_nocd = 0;
cred_t *cr, *newcr;
ksid_t ksid, *ksp;
zone_t *zone = crgetzone(CRED());
if ((rgid != -1 && !VALID_GID(rgid, zone)) ||
(egid != -1 && !VALID_GID(egid, zone)))
return (set_errno(EINVAL));
if (egid != -1 && egid > MAXUID) {
if (ksid_lookupbygid(zone, egid, &ksid) != 0)
return (set_errno(EINVAL));
ksp = &ksid;
} else {
ksp = NULL;
}
/*
* Need to pre-allocate the new cred structure before grabbing
* the p_crlock mutex.
*/
newcr = cralloc_ksid();
p = ttoproc(curthread);
mutex_enter(&p->p_crlock);
cr = p->p_cred;
if ((rgid == -1 ||
rgid == cr->cr_rgid || rgid == cr->cr_gid || rgid == cr->cr_sgid) &&
(egid == -1 || egid == cr->cr_rgid || egid == cr->cr_gid ||
egid == cr->cr_sgid) ||
(error = secpolicy_allow_setid(cr, -1, B_FALSE)) == 0) {
crhold(cr);
crcopy_to(cr, newcr);
p->p_cred = newcr;
if (egid != -1) {
newcr->cr_gid = egid;
crsetsid(newcr, ksp, KSID_GROUP);
}
if (rgid != -1)
newcr->cr_rgid = rgid;
/*
* "If the real gid is being changed, or the effective gid is
* being changed to a value not equal to the real gid, the
* saved gid is set to the new effective gid."
*/
if (rgid != -1 ||
(egid != -1 && newcr->cr_gid != newcr->cr_rgid))
newcr->cr_sgid = newcr->cr_gid;
/*
* A privileged process that makes itself look like a
* set-gid process must be marked to produce no core dump.
*/
if ((cr->cr_gid != newcr->cr_gid ||
cr->cr_rgid != newcr->cr_rgid ||
cr->cr_sgid != newcr->cr_sgid) && error == 0)
do_nocd = 1;
error = 0;
crfree(cr);
}
mutex_exit(&p->p_crlock);
if (error == 0) {
if (do_nocd) {
mutex_enter(&p->p_lock);
p->p_flag |= SNOCD;
mutex_exit(&p->p_lock);
}
crset(p, newcr); /* broadcast to process threads */
return (0);
}
crfree(newcr);
if (ksp != NULL)
ksid_rele(ksp);
return (set_errno(error));
}
/*
* This function is based on setreuid in common/syscall/uid.c and exists
* because Solaris does not have a way to explicitly set the saved uid (suid)
* from any other system call.
*/
long
lx_setresuid(l_uid_t ruid, l_uid_t euid, l_uid_t suid)
{
proc_t *p;
int error = 0;
int do_nocd = 0;
int uidchge = 0;
uid_t oldruid = ruid;
cred_t *cr, *newcr;
zoneid_t zoneid = getzoneid();
if ((ruid != -1 && (ruid > MAXUID)) ||
(euid != -1 && (euid > MAXUID)) ||
(suid != -1 && (suid > MAXUID))) {
error = EINVAL;
goto done;
}
/*
* Need to pre-allocate the new cred structure before grabbing
* the p_crlock mutex.
*/
newcr = cralloc();
p = ttoproc(curthread);
retry:
mutex_enter(&p->p_crlock);
cr = p->p_cred;
if (ruid != -1 &&
ruid != cr->cr_ruid && ruid != cr->cr_uid &&
ruid != cr->cr_suid && secpolicy_allow_setid(cr, ruid, B_FALSE)) {
error = EPERM;
} else if (euid != -1 &&
euid != cr->cr_ruid && euid != cr->cr_uid &&
euid != cr->cr_suid && secpolicy_allow_setid(cr, euid, B_FALSE)) {
error = EPERM;
} else if (suid != -1 &&
suid != cr->cr_ruid && suid != cr->cr_uid &&
suid != cr->cr_suid && secpolicy_allow_setid(cr, suid, B_FALSE)) {
error = EPERM;
} else {
if (!uidchge && ruid != -1 && cr->cr_ruid != ruid) {
/*
* The ruid of the process is going to change. In order
* to avoid a race condition involving the
* process count associated with the newly given ruid,
* we increment the count before assigning the
* credential to the process.
* To do that, we'll have to take pidlock, so we first
* release p_crlock.
*/
mutex_exit(&p->p_crlock);
uidchge = 1;
mutex_enter(&pidlock);
upcount_inc(ruid, zoneid);
mutex_exit(&pidlock);
/*
* As we released p_crlock we can't rely on the cr
* we read. So retry the whole thing.
*/
goto retry;
}
crhold(cr);
crcopy_to(cr, newcr);
p->p_cred = newcr;
if (euid != -1)
newcr->cr_uid = euid;
if (suid != -1)
newcr->cr_suid = suid;
if (ruid != -1) {
oldruid = newcr->cr_ruid;
newcr->cr_ruid = ruid;
ASSERT(ruid != oldruid ? uidchge : 1);
}
/*
* A process that gives up its privilege
* must be marked to produce no core dump.
*/
if ((cr->cr_uid != newcr->cr_uid ||
cr->cr_ruid != newcr->cr_ruid ||
cr->cr_suid != newcr->cr_suid))
do_nocd = 1;
crfree(cr);
}
mutex_exit(&p->p_crlock);
/*
* We decrement the number of processes associated with the oldruid
* to match the increment above, even if the ruid of the process
* did not change or an error occurred (oldruid == uid).
*/
if (uidchge) {
ASSERT(oldruid != -1 && ruid != -1);
mutex_enter(&pidlock);
upcount_dec(oldruid, zoneid);
mutex_exit(&pidlock);
}
if (error == 0) {
if (do_nocd) {
mutex_enter(&p->p_lock);
p->p_flag |= SNOCD;
mutex_exit(&p->p_lock);
}
crset(p, newcr); /* broadcast to process threads */
goto done;
}
crfree(newcr);
done:
if (error)
return (set_errno(error));
else
return (0);
}
int
setpflags(uint_t flag, uint_t val, cred_t *tcr)
{
cred_t *cr, *pcr;
proc_t *p = curproc;
uint_t newflags;
boolean_t use_curcred = (tcr == NULL);
if (val > 1 || (flag != PRIV_DEBUG && flag != PRIV_AWARE &&
flag != NET_MAC_AWARE && flag != NET_MAC_AWARE_INHERIT &&
flag != __PROC_PROTECT && flag != PRIV_XPOLICY &&
flag != PRIV_AWARE_RESET && flag != PRIV_PFEXEC)) {
return (EINVAL);
}
if (flag == __PROC_PROTECT) {
mutex_enter(&p->p_lock);
if (val == 0)
p->p_flag &= ~SNOCD;
else
p->p_flag |= SNOCD;
mutex_exit(&p->p_lock);
return (0);
}
if (use_curcred) {
cr = cralloc();
mutex_enter(&p->p_crlock);
pcr = p->p_cred;
} else {
cr = pcr = tcr;
}
newflags = CR_FLAGS(pcr);
if (val != 0) {
if (flag == PRIV_AWARE)
newflags &= ~PRIV_AWARE_RESET;
newflags |= flag;
} else {
newflags &= ~flag;
}
/* No change */
if (CR_FLAGS(pcr) == newflags) {
if (use_curcred) {
mutex_exit(&p->p_crlock);
crfree(cr);
}
return (0);
}
/*
* Setting either the NET_MAC_AWARE or NET_MAC_AWARE_INHERIT
* flags is a restricted operation.
*
* When invoked via the PRIVSYS_SETPFLAGS syscall
* we require that the current cred has the net_mac_aware
* privilege in its effective set.
*
* When called from within the kernel by label-aware
* services such as NFS, we don't require a privilege check.
*
*/
if ((flag == NET_MAC_AWARE || flag == NET_MAC_AWARE_INHERIT) &&
(val == 1) && use_curcred) {
if (secpolicy_net_mac_aware(pcr) != 0) {
mutex_exit(&p->p_crlock);
crfree(cr);
return (EPERM);
}
}
/* Trying to unset PA; if we can't, return an error */
if (flag == PRIV_AWARE && val == 0 && !priv_can_clear_PA(pcr)) {
if (use_curcred) {
mutex_exit(&p->p_crlock);
crfree(cr);
}
return (EPERM);
}
/* Committed to changing the flag */
if (use_curcred)
crcopy_to(pcr, cr);
if (flag == PRIV_AWARE) {
if (val != 0)
priv_set_PA(cr);
else
priv_adjust_PA(cr);
} else {
CR_FLAGS(cr) = newflags;
}
/*
* Unsetting the flag has as side effect getting rid of
* the per-credential policy.
*/
if (flag == PRIV_XPOLICY && val == 0)
crsetcrklpd(cr, NULL);
if (use_curcred) {
p->p_cred = cr;
mutex_exit(&p->p_crlock);
crset(p, cr);
}
return (0);
}
/*
* This function is based on setregid in common/syscall/gid.c
*/
long
lx_setresgid(l_gid_t rgid, l_gid_t egid, l_gid_t sgid)
{
proc_t *p;
int error = 0;
int do_nocd = 0;
cred_t *cr, *newcr;
if ((rgid != -1 && (rgid > MAXUID)) ||
(egid != -1 && (egid > MAXUID)) ||
(sgid != -1 && (sgid > MAXUID))) {
error = EINVAL;
goto done;
}
/*
* Need to pre-allocate the new cred structure before grabbing
* the p_crlock mutex.
*/
newcr = cralloc();
p = ttoproc(curthread);
mutex_enter(&p->p_crlock);
cr = p->p_cred;
if (rgid != -1 &&
rgid != cr->cr_rgid && rgid != cr->cr_gid &&
rgid != cr->cr_sgid && secpolicy_allow_setid(cr, -1, B_FALSE)) {
error = EPERM;
} else if (egid != -1 &&
egid != cr->cr_rgid && egid != cr->cr_gid &&
egid != cr->cr_sgid && secpolicy_allow_setid(cr, -1, B_FALSE)) {
error = EPERM;
} else if (sgid != -1 &&
sgid != cr->cr_rgid && sgid != cr->cr_gid &&
sgid != cr->cr_sgid && secpolicy_allow_setid(cr, -1, B_FALSE)) {
error = EPERM;
} else {
crhold(cr);
crcopy_to(cr, newcr);
p->p_cred = newcr;
if (egid != -1)
newcr->cr_gid = egid;
if (sgid != -1)
newcr->cr_sgid = sgid;
if (rgid != -1)
newcr->cr_rgid = rgid;
/*
* A process that gives up its privilege
* must be marked to produce no core dump.
*/
if ((cr->cr_gid != newcr->cr_gid ||
cr->cr_rgid != newcr->cr_rgid ||
cr->cr_sgid != newcr->cr_sgid))
do_nocd = 1;
crfree(cr);
}
mutex_exit(&p->p_crlock);
if (error == 0) {
if (do_nocd) {
mutex_enter(&p->p_lock);
p->p_flag |= SNOCD;
mutex_exit(&p->p_lock);
}
crset(p, newcr); /* broadcast to process threads */
goto done;
}
crfree(newcr);
done:
if (error)
return (set_errno(error));
else
return (0);
}
int
setgroups(int gidsetsize, gid_t *gidset)
{
proc_t *p;
cred_t *cr, *newcr;
int i;
int n = gidsetsize;
int error;
int scnt = 0;
ksidlist_t *ksl = NULL;
zone_t *zone;
struct credgrp *grps = NULL;
/* Perform the cheapest tests before grabbing p_crlock */
if (n > ngroups_max || n < 0)
return (set_errno(EINVAL));
zone = crgetzone(CRED());
if (n != 0) {
const gid_t *groups;
grps = crgrpcopyin(n, gidset);
if (grps == NULL)
return (set_errno(EFAULT));
groups = crgetggroups(grps);
for (i = 0; i < n; i++) {
if (!VALID_GID(groups[i], zone)) {
crgrprele(grps);
return (set_errno(EINVAL));
}
if (groups[i] > MAXUID)
scnt++;
}
if (scnt > 0) {
ksl = kcrsid_gidstosids(zone, n, (gid_t *)groups);
if (ksl == NULL) {
crgrprele(grps);
return (set_errno(EINVAL));
}
}
}
/*
* Need to pre-allocate the new cred structure before acquiring
* the p_crlock mutex.
*/
newcr = cralloc_ksid();
p = ttoproc(curthread);
mutex_enter(&p->p_crlock);
retry:
cr = p->p_cred;
crhold(cr);
mutex_exit(&p->p_crlock);
if ((error = secpolicy_allow_setid(cr, -1, B_FALSE)) != 0) {
if (grps != NULL)
crgrprele(grps);
if (ksl != NULL)
ksidlist_rele(ksl);
crfree(newcr);
crfree(cr);
return (set_errno(error));
}
mutex_enter(&p->p_crlock);
crfree(cr);
if (cr != p->p_cred)
goto retry;
crdup_to(cr, newcr);
crsetsidlist(newcr, ksl);
crsetcredgrp(newcr, grps);
p->p_cred = newcr;
crhold(newcr); /* hold for the current thread */
crfree(cr); /* free the old one */
mutex_exit(&p->p_crlock);
/*
* Broadcast new cred to process threads (including the current one).
*/
crset(p, newcr);
return (0);
}
int
setuid(uid_t uid)
{
proc_t *p;
int error;
int do_nocd = 0;
int uidchge = 0;
cred_t *cr, *newcr;
uid_t oldruid = uid;
zoneid_t zoneid = getzoneid();
ksid_t ksid, *ksp;
zone_t *zone = crgetzone(CRED());
if (!VALID_UID(uid, zone))
return (set_errno(EINVAL));
if (uid > MAXUID) {
if (ksid_lookupbyuid(zone, uid, &ksid) != 0)
return (set_errno(EINVAL));
ksp = &ksid;
} else {
ksp = NULL;
}
/*
* Need to pre-allocate the new cred structure before grabbing
* the p_crlock mutex. We can't hold on to the p_crlock for most
* if this though, now that we allow kernel upcalls from the
* policy routines.
*/
newcr = cralloc_ksid();
p = ttoproc(curthread);
retry:
mutex_enter(&p->p_crlock);
retry_locked:
cr = p->p_cred;
crhold(cr);
mutex_exit(&p->p_crlock);
if ((uid == cr->cr_ruid || uid == cr->cr_suid) &&
secpolicy_allow_setid(cr, uid, B_TRUE) != 0) {
mutex_enter(&p->p_crlock);
crfree(cr);
if (cr != p->p_cred)
goto retry_locked;
error = 0;
crcopy_to(cr, newcr);
p->p_cred = newcr;
newcr->cr_uid = uid;
crsetsid(newcr, ksp, KSID_USER);
mutex_exit(&p->p_crlock);
} else if ((error = secpolicy_allow_setid(cr, uid, B_FALSE)) == 0) {
mutex_enter(&p->p_crlock);
crfree(cr);
if (cr != p->p_cred)
goto retry_locked;
if (!uidchge && uid != cr->cr_ruid) {
/*
* The ruid of the process is going to change. In order
* to avoid a race condition involving the
* process-count associated with the newly given ruid,
* we increment the count before assigning the
* credential to the process.
* To do that, we'll have to take pidlock, so we first
* release p_crlock.
*/
mutex_exit(&p->p_crlock);
uidchge = 1;
mutex_enter(&pidlock);
upcount_inc(uid, zoneid);
mutex_exit(&pidlock);
/*
* As we released p_crlock we can't rely on the cr
* we read. So retry the whole thing.
*/
goto retry;
}
/*
* A privileged process that gives up its privilege
* must be marked to produce no core dump.
*/
if (cr->cr_uid != uid ||
cr->cr_ruid != uid ||
cr->cr_suid != uid)
do_nocd = 1;
oldruid = cr->cr_ruid;
crcopy_to(cr, newcr);
p->p_cred = newcr;
newcr->cr_ruid = uid;
newcr->cr_suid = uid;
newcr->cr_uid = uid;
crsetsid(newcr, ksp, KSID_USER);
priv_reset_PA(newcr, B_TRUE);
ASSERT(uid != oldruid ? uidchge : 1);
mutex_exit(&p->p_crlock);
} else {
crfree(newcr);
crfree(cr);
if (ksp != NULL)
ksid_rele(ksp);
}
/*
* We decrement the number of processes associated with the oldruid
* to match the increment above, even if the ruid of the process
* did not change or an error occurred (oldruid == uid).
*/
if (uidchge) {
mutex_enter(&pidlock);
upcount_dec(oldruid, zoneid);
mutex_exit(&pidlock);
}
if (error == 0) {
if (do_nocd) {
mutex_enter(&p->p_lock);
p->p_flag |= SNOCD;
mutex_exit(&p->p_lock);
}
crset(p, newcr); /* broadcast to process threads */
return (0);
}
return (set_errno(error));
}
/*
* Buy-back from SunOS 4.x
*
* Like setuid() and seteuid() combined -except- that non-root users
* can change cr_ruid to cr_uid, and the semantics of cr_suid are
* subtly different.
*/
int
setreuid(uid_t ruid, uid_t euid)
{
proc_t *p;
int error = 0;
int do_nocd = 0;
int uidchge = 0;
uid_t oldruid = ruid;
cred_t *cr, *newcr;
zoneid_t zoneid = getzoneid();
ksid_t ksid, *ksp;
zone_t *zone = crgetzone(CRED());
if ((ruid != -1 && !VALID_UID(ruid, zone)) ||
(euid != -1 && !VALID_UID(euid, zone)))
return (set_errno(EINVAL));
if (euid != -1 && euid > MAXUID) {
if (ksid_lookupbyuid(zone, euid, &ksid) != 0)
return (set_errno(EINVAL));
ksp = &ksid;
} else {
ksp = NULL;
}
/*
* Need to pre-allocate the new cred structure before grabbing
* the p_crlock mutex.
*/
newcr = cralloc_ksid();
p = ttoproc(curthread);
retry:
mutex_enter(&p->p_crlock);
retry_locked:
crhold(cr = p->p_cred);
mutex_exit(&p->p_crlock);
if (ruid != -1 && ruid != cr->cr_ruid && ruid != cr->cr_uid &&
secpolicy_allow_setid(cr, ruid, B_FALSE) != 0) {
mutex_enter(&p->p_crlock);
crfree(cr);
if (cr != p->p_cred)
goto retry_locked;
error = EPERM;
} else if (euid != -1 &&
euid != cr->cr_ruid && euid != cr->cr_uid &&
euid != cr->cr_suid && secpolicy_allow_setid(cr, euid, B_FALSE)) {
mutex_enter(&p->p_crlock);
crfree(cr);
if (cr != p->p_cred)
goto retry_locked;
error = EPERM;
} else {
mutex_enter(&p->p_crlock);
crfree(cr);
if (cr != p->p_cred)
goto retry_locked;
if (!uidchge && ruid != -1 && cr->cr_ruid != ruid) {
/*
* The ruid of the process is going to change. In order
* to avoid a race condition involving the
* process-count associated with the newly given ruid,
* we increment the count before assigning the
* credential to the process.
* To do that, we'll have to take pidlock, so we first
* release p_crlock.
*/
mutex_exit(&p->p_crlock);
uidchge = 1;
mutex_enter(&pidlock);
upcount_inc(ruid, zoneid);
mutex_exit(&pidlock);
/*
* As we released p_crlock we can't rely on the cr
* we read. So retry the whole thing.
*/
goto retry;
}
crhold(cr);
crcopy_to(cr, newcr);
p->p_cred = newcr;
if (euid != -1) {
newcr->cr_uid = euid;
crsetsid(newcr, ksp, KSID_USER);
}
if (ruid != -1) {
oldruid = newcr->cr_ruid;
newcr->cr_ruid = ruid;
ASSERT(ruid != oldruid ? uidchge : 1);
}
/*
* "If the real uid is being changed, or the effective uid is
* being changed to a value not equal to the real uid, the
* saved uid is set to the new effective uid."
*/
if (ruid != -1 ||
(euid != -1 && newcr->cr_uid != newcr->cr_ruid))
newcr->cr_suid = newcr->cr_uid;
/*
* A process that gives up its privilege
* must be marked to produce no core dump.
*/
if ((cr->cr_uid != newcr->cr_uid ||
cr->cr_ruid != newcr->cr_ruid ||
cr->cr_suid != newcr->cr_suid))
do_nocd = 1;
priv_reset_PA(newcr, ruid != -1 && euid != -1 && ruid == euid);
crfree(cr);
}
mutex_exit(&p->p_crlock);
/*
* We decrement the number of processes associated with the oldruid
* to match the increment above, even if the ruid of the process
* did not change or an error occurred (oldruid == uid).
*/
if (uidchge) {
ASSERT(oldruid != -1 && ruid != -1);
mutex_enter(&pidlock);
upcount_dec(oldruid, zoneid);
mutex_exit(&pidlock);
}
if (error == 0) {
if (do_nocd) {
mutex_enter(&p->p_lock);
p->p_flag |= SNOCD;
mutex_exit(&p->p_lock);
}
crset(p, newcr); /* broadcast to process threads */
return (0);
}
crfree(newcr);
if (ksp != NULL)
ksid_rele(ksp);
return (set_errno(error));
}
int
seteuid(uid_t uid)
{
proc_t *p;
int error = EPERM;
int do_nocd = 0;
cred_t *cr, *newcr;
ksid_t ksid, *ksp;
zone_t *zone = crgetzone(CRED());
if (!VALID_UID(uid, zone))
return (set_errno(EINVAL));
if (uid > MAXUID) {
if (ksid_lookupbyuid(zone, uid, &ksid) != 0)
return (set_errno(EINVAL));
ksp = &ksid;
} else {
ksp = NULL;
}
/*
* Need to pre-allocate the new cred structure before grabbing
* the p_crlock mutex.
*/
newcr = cralloc_ksid();
p = ttoproc(curthread);
mutex_enter(&p->p_crlock);
retry:
crhold(cr = p->p_cred);
mutex_exit(&p->p_crlock);
if (uid == cr->cr_ruid || uid == cr->cr_uid || uid == cr->cr_suid ||
(error = secpolicy_allow_setid(cr, uid, B_FALSE)) == 0) {
/*
* A privileged process that makes itself look like a
* set-uid process must be marked to produce no core dump,
* if the effective uid did changed.
*/
mutex_enter(&p->p_crlock);
crfree(cr);
if (cr != p->p_cred)
goto retry;
if (cr->cr_uid != uid && error == 0)
do_nocd = 1;
error = 0;
crcopy_to(cr, newcr);
p->p_cred = newcr;
newcr->cr_uid = uid;
crsetsid(newcr, ksp, KSID_USER);
priv_reset_PA(newcr, B_FALSE);
mutex_exit(&p->p_crlock);
if (do_nocd) {
mutex_enter(&p->p_lock);
p->p_flag |= SNOCD;
mutex_exit(&p->p_lock);
}
crset(p, newcr); /* broadcast to process threads */
return (0);
}
crfree(newcr);
crfree(cr);
if (ksp != NULL)
ksid_rele(ksp);
return (set_errno(error));
}